Microsoft denies its pledge not to sue security researchers is new
Microsoft's manager for security response communication told BetaNews this afternoon that a pledge made by a company representative at a security conference was not, as some sources reported from the scene, a change in policy.
"Microsoft did not announce anything new at ToorCon Seattle regarding its position on responsible disclosure, but we did mention our industry leading online services acknowledgement, which went public in July of 2007," stated Microsoft's Bill Sisk to BetaNews this afternoon. "Because we will not pursue legal action against researchers who report vulnerabilities to us responsibly, we hope to encourage those who want to help us protect customers to feel free to do so without fear of repercussions."
While this weekend's story on the pledge, which was characterized as "a first for a major company," ranked highly among news aggregators this morning, there is ample evidence to support Sisk's statement. The person who made the pledge -- or, in this case, repeated it -- was Katie Moussouris, whom Microsoft hired last May after she had founded Symantec's Vulnerability Research division.
Since she joined as a security strategist, the company has taken significant steps toward ingratiating itself with independent security researchers, including pledging not to sue responsible parties. An FAQ on Microsoft's Web site posted well prior to last weekend currently reads, "Microsoft will not pursue legal action against security researchers that responsibly submit potential online services security vulnerabilities."
Moussouris participated in a public panel discussion on the subject of research disclosure last November 15, joined by her former Symantec colleague, a counterpart at Oracle, and a field branch officer for the US Secret Service.
A few months prior to that time, Microsoft's BlueHat Security Briefings, held twice annually, did objectively explore the problem of legitimate researchers' disclosure. Specifically, last fall, it explored the fact that full disclosure from researchers to technology companies, and vice versa, does not automatically stop the authorities in many countries, including the US, from prosecuting either or even both parties.
On September 28, the BlueHat event's blog posted an article from Rain Forest Puppy, the noted author of a proposed policy paper for legitimate researchers, pointing out that the proposed RFPolicy assumes that corporations won't use the laws of their respective countries as countermeasures against researchers if the corporations happen not to like the results those researchers find.
"There's no real practical way to change the act of looking for security problems in a third-party hosted web site such that it is 100% clear that the act/intent is not malicious (with the exception of gaining permission to perform such activity, ahead of time)," writes Rain Forest Puppy. "Further, the laws and precedents of many countries are very clear regarding cybercrime...and they directly define, encompass, and punish the activity that many well-meaning security researchers believe they can perform against third-party web sites regardless. Yes, these well-meaning security researchers may not have a malicious intent, but intent is often an after-the-fact designation that may not be considered before the activity is considered and prosecuted as cybercrime."
The RFPolicy author suggests that researchers use written disclosure documents to help protect their causes as well as to show non-malicious intent. But the suggestion goes on to say that corporations will need to step up their involvement in security research, even from independents, in order to help shield those researchers from prosecution.
Microsoft's team added this addendum to that post: "Microsoft has long understood the importance of thanking and acknowledging responsible researchers. We have an acknowledgement policy that includes online vulnerability finders, and a FAQ that explains how it works."
Today, the company's Bill Sisk reiterated that policy: "As we have done for many years, we continue to work closely with security researchers and encourage responsible disclosure of vulnerabilities in our products as well as for online services. If a vulnerability is responsibly disclosed, we will publicly credit the researcher for his/her assistance. We believe responsible disclosure serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the update is being developed."